Wednesday, January 27, 2010

MSS Exceeded Workaround

After installing a new ASA 5520, I noticed that a few websites were loading very slowly or not at all. The problem seemed to be very intermittent, but reproducible by revisiting the websites at any time of the day. Browsing to the site from outside of the firewall showed the site to be responsive.

I started to watch the live log while browsing to the site and noticed packets being dropped. The log read:

Dropping TCP packet from outside: to inside: , reason: MSS exceeded, MSS 1260, data 1460

Apparently, this is a new security feature in the 7.0+ code for the ASA. Normally, the client and server each send their MSS (Maximum Segment Size) while establishing the TCP connection. Once this occurs, neither the client nor the server should send a packet larger than its peer’s MSS. However, some HTTP servers ignore the MSS and send packets that are too large, which the ASA then drops.

The workaround is to allow the firewall to pass packets whose data exceeds the MSS. Let’s say the IP address of the server causing the problems is 192.168.10.9. First, create an access-list for any host accessing that server.

access-list MSS_Exceeded_ACL permit tcp any host 192.168.10.9

Then create a class map and a TCP map.

class-map MSS_Exceeded_MAP
match access-list MSS_Exceeded_ACL
exit
tcp-map mss-map
exceed-mss allow

Create the policy map.

policy-map MSS_Exceeded_MAP
class MSS_Exceeded_MAP
set connection advanced-options mss-map

Apply the map to the outside interface.

service-policy MSS_Exceeded_MAP interface outside

If there is more than one site, just add the additional sites to the MSS_Exceeded_ACL access list or change it to allow all sites.

access-list MSS_Exceeded_ACL permit tcp any any

For more information about MSS and logging these events, check out the document from Cisco.
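
When more than one site is affected, the drop messages themselves show which servers belong in MSS_Exceeded_ACL, which keeps the exception narrower than permit tcp any any. The Python sketch below is an added example, not part of the original post; the sample log lines are constructed, and the interface:address/port layout of the endpoints is an assumption because the addresses are missing from the log line quoted above.

```python
import ipaddress
import re
from collections import Counter

# Matches the drop message quoted in the post. The "ifc:address/port" layout
# of the two endpoints is an assumption (the quoted line lost its addresses).
DROP_RE = re.compile(
    r"Dropping TCP packet from \S+?:(?P<src>[\d.]+)/\d+ "
    r"to \S+?:(?P<dst>[\d.]+)/\d+, "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

# Constructed sample log; all addresses are made-up documentation values.
SAMPLE_LOG = """\
Dropping TCP packet from outside:192.0.2.10/80 to inside:10.1.1.5/51234, reason: MSS exceeded, MSS 1260, data 1460
Dropping TCP packet from outside:192.0.2.10/80 to inside:10.1.1.5/51234, reason: MSS exceeded, MSS 1260, data 1460
Dropping TCP packet from outside:203.0.113.25/443 to inside:10.1.1.8/40022, reason: MSS exceeded, MSS 1260, data 1380
Unrelated constructed line that must be ignored
Dropping TCP packet from outside:198.51.100.7/80 to inside:10.1.1.5/51300, reason: MSS exceeded, MSS 1260, data 1460
Dropping TCP packet from outside:203.0.113.25/443 to inside:10.1.1.8/40022, reason: MSS exceeded, MSS 1260, data 1380
Dropping TCP packet from outside:192.0.2.10/80 to inside:10.1.1.9/50001, reason: MSS exceeded, MSS 1260, data 1460
"""

def offending_servers(log_text, min_drops=2):
    """Count MSS-exceeded drops per sending host; keep hosts seen min_drops+ times."""
    drops = Counter()
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        # Only count lines where the segment really was larger than the MSS.
        if m and int(m["data"]) > int(m["mss"]):
            drops[m["src"]] += 1
    return {ip: n for ip, n in drops.items() if n >= min_drops}

def acl_lines(servers, acl_name="MSS_Exceeded_ACL"):
    """Render one host-scoped ACL entry per server, in the post's syntax."""
    ordered = sorted(servers, key=ipaddress.ip_address)
    return [f"access-list {acl_name} permit tcp any host {ip}" for ip in ordered]

if __name__ == "__main__":
    for line in acl_lines(offending_servers(SAMPLE_LOG)):
        print(line)
```

The min_drops threshold keeps a single stray drop from widening the ACL; review the generated entries before pasting them into the firewall.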

CISCO ASA SSL CERT

GENERATE CSR

  1. From the Cisco Adaptive Security Device Manager (ASDM), select “Configuration” and then “Device Management.”
  2. Expand “Certificate Management,” then select “Identity Certificates,” and then “Add.”
  3. Select the button to “Add a new identity certificate” and click the “New…” link for the Key Pair.
  4. Select the option to “Enter new key pair name” and enter a name (any name) for the key pair. Next, click the “Generate Now” button to create your key pair.
  5. The key size should be changed to 2048 and Usage should be left on General purpose.

  6. Next you will define the “Certificate Subject DN” by clicking the Select button to the right of that field. In the Certificate Subject DN window, configure the following values by selecting each from the “Attribute” drop-down list, entering the appropriate value, and clicking “Add.”
    • CN – The name through which the firewall will be accessed (usually the fully qualified domain name, e.g., vpn.domain.com).
    • OU – The name of your department within the organisation (frequently this entry will be listed as “IT”, “Web Security” or is simply left blank).
    • O – The legally registered name of your organisation/company.
    • C – Your country's two-digit code.
    • ST – The state in which your organisation is located.
    • L – The city in which your organisation is located.

  7. Next, click “Advanced” in the “Add Identity Certificate” window.
  8. In the FQDN field, type in the fully-qualified domain name through which the device will be accessed externally, e.g., vpn.domain.com (or the same name as was entered in the CN value in step 5).
  9. Click "OK" and then "Add Certificate." You will then be prompted to save your newly created CSR information as a text file (.txt extension).
  10. Remember the filename that you choose and the location to which you save it. You will need to open this file as a text file and copy the entire body of it (including the Begin and End Certificate Request tags) into the online order process when prompted.


Choose your SSL CA

Installing your SSL Certificate in the Adaptive Security Device Manager (ASDM)

  1. You will receive your SSL certificate and intermediate certificate by email. Copy each certificate from the email, paste each one into a separate text editor and save the files to a safe location with an extension of .crt, such as gs_sslcertificate.crt and gs_intermediate.crt.
  2. In ASDM select “Configuration” and then “Device Management.”
  3. Expand “Certificate Management” and select “CA Certificates” and then “Add.”
  4. With the option selected to “Install from a file”, browse to the gs_intermediate.crt file and then click the “Install Certificate” button at the bottom of the "Install Certificate" window.
  5. Your Intermediate certificate file is now installed. You will now need to install the gs_sslcertificate.crt file.

  6. In ASDM select “Configuration” and then “Device Management”.
  7. Expand “Certificate Management” and select “Identity Certificates”.
  8. Select the appropriate identity certificate from when your CSR was generated (the “Issued By” field should show as not available and the “Expiry Date” field will show Pending…). Click the Install button.
  9. Browse to the appropriate identity certificate (the gs_sslcertificate.crt provided by GlobalSign) and click “Install Certificate.”
  10. At this point you should receive confirmation that the certificate installation was successful.

Configuring WebVPN with ASDM to Use the New SSL Certificate

  1. In ASDM select “Configuration” and then “Device Management”.
  2. Click “Advanced” and then “SSL Settings”.
  3. From "Certificates," choose the interface used to terminate WebVPN sessions, and then choose “Edit”.
  4. From the “Certificate” drop-down, select the newly installed certificate, then “OK”, and then “Apply”.
  5. Configuring your certificate for use with the selected kind of WebVPN session is now complete.

SSL Certificate Installation from the Cisco ASA command line (alternate installation method)

  1. From the ciscoasa(config)# line, enter the following text:

    crypto ca authenticate my.globalsign.trustpoint

    Where my.globalsign.trustpoint is the name of the trustpoint created when your certificate request was generated.

  2. Next, enter the entire body of the gs_intermediate.crt file followed by the word “quit” on a line by itself (the gs_intermediate.crt file can be opened and edited with a standard text editor, and the entire body of that file should be entered when prompted).
  3. When asked to accept the certificate, enter “yes”.
  4. When the certificate has been successfully imported, enter “exit”.
  5. Your Intermediate certificate file is now installed. You will now need to install the gs_sslcertificate.crt file.

  6. From the ciscoasa(config)# line, enter the following text:

    crypto ca import my.globalsign.trustpoint certificate

    Where my.globalsign.trustpoint is the name of the trustpoint created when your certificate request was generated.

  7. Next, enter the entire body of the gs_sslcertificate.crt file followed by the word “quit” on a line by itself (the gs_sslcertificate.crt file can be opened and edited with a standard text editor, and the entire body of that file should be entered when prompted).
  8. You should then receive a message that the certificate was successfully imported.

Configuring WebVPN to Use the New SSL Certificate from the Cisco ASA command line

  1. From the ciscoasa(config)# line, enter the following text:

ssl trust-point my.globalsign.trustpoint outside

wr mem

Where my.globalsign.trustpoint is the name of the trustpoint created when your certificate request was generated and "outside" is the name of the interface being configured.

Make sure to save the configuration.



Cisco IOS to CatOS Etherchannel Configuration

Here are the relevant parts of the configuration to set up an etherchannel between an IOS device and a CatOS device. First, let’s start with the CatOS device, in this case a 6509. We will be using ports 3/9 and 3/10.

We first need to set the ports we want to use to be a trunk. Here we are forcing dot1q.

6509#set trunk 3/9-10 nonegotiate dot1q

Now we need to set up the port channel. The two ports will be used as one logical link, aggregating bandwidth across them.

6509#set port channel 3/9-10

Note: There is an option at the end of this command to specify the admin group. This is how the CatOS groups the ports. If you do not specify the admin group, the CatOS will automatically assign one. This is something to watch out for if you set each port separately.

Now, turn the port channel on.

6509#set port channel 3/9-10 mode on

That is it for the CatOS. The config for the IOS is quite a bit different. First, create a port channel interface and make it a trunk.

3750(config)#interface port-channel 1
3750(config-if)#switchport trunk encapsulation dot1q
3750(config-if)#switchport mode trunk

Assign ports to the port channel group.

3750(config)#interface GigabitEthernet1/0/1
3750(config-if)#channel-group 1 mode on
3750(config-if)#interface GigabitEthernet1/0/2
3750(config-if)#channel-group 1 mode on

Just connect the ports and everything should come up. To check on the CatOS:

6509#show port channel
Port  Status     Channel              Admin Ch
                 Mode                 Group Id
----- ---------- -------------------- ----- -----
 3/9  connected  on                     746  1734
 3/10 connected  on                     746  1734

Port  Device-ID                       Port-ID                   Platform
----- ------------------------------- ------------------------- ----------------
 3/9  3750                            GigabitEthernet1/0/1      cisco WS-C3750-48P
 3/10 3750                            GigabitEthernet1/0/2      cisco WS-C3750-48P

Here, both ports 3/9 and 3/10 show as connected and on the same admin channel.

And for the IOS.

3750#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          -        Gi1/0/1(P)  Gi2/0/1(P)

The last line is the important one. Notice that it shows both ports are in port channel 1.

To configure an IOS to IOS etherchannel, just repeat the exact steps for the IOS on the second switch.
That’s all there is to it.

Cisco ASA iPhone VPN Config

I recently purchased a shiny new iPhone 3G and wanted to be able to connect back to my house where I have a Cisco ASA 5505. I have noticed a lot of questions about how to get this to work, so here it is…

First, make sure you are running ASA Software version 8.0(3) or better. The previous versions have a bug when the iPhone connects that will boot all other users connected to the VPN.

On the ASA, we need to get the VPN configured. First, the ACLs for split-tunneling, no NAT and VPN access:

access-list RA_VPN_ACL extended permit ip any 172.30.30.0 255.255.255.0
access-list RA_VPN_SplitTunnel_ACL standard permit 172.25.25.0 255.255.255.0
access-list NoNAT_ACL extended permit ip 172.25.25.0 255.255.255.0 172.30.30.0 255.255.255.0
nat (inside) 0 access-list NoNAT_ACL

Since this config will authenticate to the local ASA, we need to have a username and password set up:

username iPhone password your_password

Now set up an address pool for VPN clients:

ip local pool RA_VPN_POOL 172.30.30.100-172.30.30.200

Now create the crypto maps and apply them to the outside interface:

crypto ipsec transform-set RA_VPN_SET esp-aes esp-sha-hmac
crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto dynamic-map RA_VPN_MAP 1 set reverse-route
crypto map RA_VPN 65535 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface outside

Set up ISAKMP:

crypto isakmp enable outside
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20

Now create a remote access VPN policy. Make sure to add the split-dns value for your local domain. If you leave this out, the iPhone will not resolve DNS on the internal network!

group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
dns-server value DNS_Server_IP
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_VPN_SplitTunnel_ACL
split-dns value domain.local

Add the tunnel-group to allow the VPN connection:

tunnel-group RA_VPN type ipsec-ra
tunnel-group RA_VPN general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_Policy
tunnel-group RA_VPN ipsec-attributes
pre-shared-key your_password

Now to configure the iPhone. First, go to Settings -> General -> Network -> VPN. Then Add VPN Configuration. Select IPSec at the top and enter your information. The Server is the IP address or hostname of the ASA. The Account is the Username you created in the config above. The Group Name is the tunnel-group name created on the ASA.



To connect the VPN, go to Settings -> VPN (this appears after you create a VPN connection). Just change the option to ON.


Once you see the VPN icon on the top bar, you are connected!

Tuesday, January 26, 2010

Telnet logging to Cisco router with Radius authentication based on Windows 2008 R2


Say you want to give a network admin access to a Cisco router via telnet with Radius authentication (the user account is stored in AD).

The network admin is not a system admin, so he does not have administrator rights on the AD domain, but he has to have level 15 access to all Cisco devices.

Here is the configuration of the router (tested on a Cisco 1800 Series):


enable secret 5 ############

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local

privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure

line con 0
password 7 ############
line aux 0
line vty 0 4
password 7 ############
transport input telnet

session-timeout 60


Quick description:
enable secret 5 - password for the admin level, restricting the use of the "enable" command


aaa new-model - start the AAA configuration
aaa authentication login default group radius local - login authentication is done by the AAA mechanism in the following fashion:

  • first the default authentication group is used (I did not create my own authgroup for this example) and checked by a Radius server
  • if the server does not respond (and only then) - the local user database is checked
aaa authorization exec default group radius local - command execution authorization is done in the same way as above.


The next set of commands creates a new privilege level. In Cisco IOS the admin level is 15, which has full rights on any hardware. A lower level must be defined before it can be used.
In this case I created a 7th level of access with the right to execute ping, enter configuration options and configure SNMP settings.


line vty 0 4 - telnet connection configuration (total of 5 lines - from 0 to 4)



Now for the Windows 2008 Server R2 side:

Network policy for level 15:

  • Windows Group: NetAdmins
  • Standard Attributes: 7 (Framed Protocol) - PPP, 6 (Service Type) - NAS Prompt
  • Cisco Attributes AV-Pair: shell:priv-lvl=15
Network policy for level 7:

  • Windows Group: SomeoneElse
  • Standard Attributes: 7 (Framed Protocol) - PPP, 6 (Service Type) - NAS Prompt
  • Cisco Attributes AV-Pair: shell:priv-lvl=7

Now, when logging in via telnet, users belonging to the NetAdmins group gain full access to the router (without the need for the "enable" command), while users from the SomeoneElse group have only level 7.
If the other user wanted full access, he would have to know the enable secret password.
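
On the wire, the Cisco AV-Pair from each network policy travels as a RADIUS Vendor-Specific attribute (type 26, vendor ID 9, vendor type 1) next to Service-Type and Framed-Protocol. The Python sketch below is an added example, not part of the original post: it builds the attribute bytes each policy would return and decodes the privilege level from them, as you would when checking a packet capture of an Access-Accept. The function names and sample bytes are constructed here.

```python
import struct

VENDOR_SPECIFIC = 26          # RADIUS Vendor-Specific attribute (RFC 2865)
CISCO_VENDOR_ID = 9           # Cisco's IANA enterprise number
CISCO_AVPAIR = 1              # Cisco vendor type 1: cisco-avpair
SERVICE_TYPE, FRAMED_PROTOCOL = 6, 7
NAS_PROMPT, PPP = 7, 1        # values selected in the network policies above

def attr(atype, value):
    """Encode one attribute: type, length (including 2-byte header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(text):
    """Wrap an AV-pair string in a Cisco Vendor-Specific attribute."""
    body = text.encode("ascii")
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(body) + 2)
    return attr(VENDOR_SPECIFIC, vsa + body)

def policy_attributes(priv_lvl):
    """Attribute bytes one of the policies would return (constructed sample)."""
    return (attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT))
            + attr(FRAMED_PROTOCOL, struct.pack("!I", PPP))
            + cisco_avpair(f"shell:priv-lvl={priv_lvl}"))

def parse_attributes(data):
    """Yield (type, value) pairs; reject truncated or malformed lengths."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen

def granted_priv_level(data):
    """Return the shell:priv-lvl value carried in a Cisco AV-pair, or None."""
    for atype, value in parse_attributes(data):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
        pair = value[6:4 + vlen].decode("ascii", "replace")
        if ((vendor, vtype) == (CISCO_VENDOR_ID, CISCO_AVPAIR)
                and pair.startswith("shell:priv-lvl=")):
            return int(pair.split("=", 1)[1])
    return None
```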

Thursday, January 7, 2010

Cisco ASA NetFlow Support – NetFlow Security Event Logging – NSEL

Cisco has changed its ways! Cisco ASA now supports NetFlow. The new feature in Cisco ASA version 8.2 is called NSEL (NetFlow Security Event Logging) and it allows all ASA models to support NetFlow. Below I have provided the NetFlow configuration of a Cisco ASA.

Three event types can trigger a NetFlow record:
* flow-create
* flow-denied
* flow-teardown

! x.x.x.x xxxx = collector IP and port
flow-export destination inside x.x.x.x xxxx
access-list flow_export_acl permit ip host x.x.x.x host x.x.x.x

class-map flow_export_class
match access-list flow_export_acl

policy-map flow_export_policy
class flow_export_class
! x.x.x.x = collector IP
flow-export event-type flow-create destination x.x.x.x
service-policy flow_export_policy global

To see all event type records with NetFlow:
flow-export event-type all destination x.x.x.x
If you disable logging for flow export events this will increase performance:
logging flow-export-syslogs disable

NetFlow can be configured in the Cisco ASDM GUI by clicking:

  • Configuration->Firewall->Service Policy Rules.
  • Click Add->select “Use class-default as the traffic class”->Next->Netflow (tab)->Add (check the collector(s) you want to use)->Finish->Apply.
This isn’t your typical NetFlow